Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-70101

CVE-2025-70101: lwext4 Library DoS Vulnerability

CVE-2025-70101 is an out-of-bounds read denial of service flaw in lwext4 1.0.0 library's ext4_ext_binsearch_idx function that allows attackers to crash systems using crafted filesystem images. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-70101 Overview

CVE-2025-70101 is an out-of-bounds read vulnerability in the ext4_ext_binsearch_idx function located in src/ext4_extent.c of the lwext4 1.0.0 library. The flaw allows attackers to trigger a denial of service by supplying a specially crafted ext4 filesystem image. The vulnerability stems from insufficient validation of extent header fields before performing a binary search over extent index entries. This leads to invalid pointer calculations and an out-of-bounds memory read during extent tree traversal. The weakness is classified under [CWE-125] (Out-of-bounds Read).

Critical Impact

Attackers can crash applications or services that mount and parse untrusted ext4 filesystem images using the lwext4 library, resulting in denial of service.

Affected Products

  • lwext4 library version 1.0.0
  • Embedded systems and applications that link against lwext4 for ext4 filesystem support
  • Firmware or recovery tools that parse ext4 images using lwext4

Discovery Timeline

  • 2026-06-03 - CVE-2025-70101 published to NVD
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2025-70101

Vulnerability Analysis

The vulnerability resides in the ext4_ext_binsearch_idx function, which performs a binary search across extent index entries during ext4 extent tree traversal. The function relies on values stored in the extent header to determine the range of valid index entries. When these header fields contain attacker-controlled or malformed values, the binary search routine computes pointer offsets that fall outside the bounds of the allocated extent block.

As a result, the function reads memory beyond the intended buffer. The read operation can dereference invalid memory regions, causing the host process to terminate. The issue requires user interaction to load a crafted filesystem image, which aligns with typical mount or image-parsing workflows.

Root Cause

The root cause is missing validation of the extent header fields prior to the binary search. The lwext4 code path trusts the entry count and depth values supplied by the on-disk structure without verifying they are consistent with the block size or allocation boundaries. Without these sanity checks, pointer arithmetic inside ext4_ext_binsearch_idx can dereference memory outside the extent block.

Attack Vector

An attacker crafts a malicious ext4 filesystem image with manipulated extent header metadata. The attacker delivers the image through any channel that ultimately causes the target application to parse it using lwext4, such as a removable medium, downloaded disk image, or network-delivered firmware package. When the victim mounts or scans the image, the parsing routine traverses the extent tree and triggers the out-of-bounds read. The result is a process crash leading to denial of service. The vulnerability affects confidentiality of process memory through the read primitive but does not enable code execution per the available analysis.

A proof-of-concept image and crash artifact are referenced in the GitHub PoC for lwext4 repository.

Detection Methods for CVE-2025-70101

Indicators of Compromise

  • Repeated SIGSEGV or SIGBUS crashes in processes linked against the lwext4 library
  • Core dumps showing faulting instruction inside ext4_ext_binsearch_idx or adjacent extent-handling routines
  • Unexpected mount failures or parser termination when handling ext4 images from untrusted sources

Detection Strategies

  • Inventory all applications, firmware images, and embedded devices that statically or dynamically link lwext4 1.0.0
  • Apply fuzzing or static analysis to identify code paths that pass untrusted ext4 images into lwext4 parsing functions
  • Review crash telemetry for stack traces referencing ext4_extent.c symbols

Monitoring Recommendations

  • Capture and centralize crash reports from systems that process ext4 disk images, including embedded and IoT devices
  • Alert on process termination signals originating from ext4 mount or image-inspection utilities
  • Track file integrity and provenance for ext4 images introduced through removable media or external downloads

How to Mitigate CVE-2025-70101

Immediate Actions Required

  • Identify and isolate systems that parse untrusted ext4 filesystem images with lwext4 1.0.0
  • Restrict mounting or scanning of ext4 images to trusted sources until a fix is applied
  • Track the upstream issue at GitHub Issue #91 for fix availability

Patch Information

No official vendor patch is referenced in the available CVE data at publication. Maintainers and integrators should monitor the upstream lwext4 repository and apply validation patches that verify extent header fields before invoking the binary search routine. Downstream consumers should rebuild and redistribute affected firmware once a fix is merged.

Workarounds

  • Refuse to parse ext4 images that originate from untrusted users or unauthenticated network sources
  • Sandbox or containerize the parsing process so that a crash does not affect the host application
  • Add a wrapper that validates extent header entry counts and depth values against block size before calling lwext4 parsing routines
bash
# Configuration example - inventory binaries linking against lwext4 on Linux hosts
for bin in $(find / -type f -executable 2>/dev/null); do
  if ldd "$bin" 2>/dev/null | grep -q "lwext4"; then
    echo "lwext4 dependency: $bin"
  fi
done

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.